TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2010

November 10, 2010

Reference Number: 2011-20-003

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
2(f) = Risk Circumvention of Agency Regulation or Statute

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

November 10, 2010

MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FOR AUDIT
               OFFICE OF THE INSPECTOR GENERAL
               DEPARTMENT OF THE TREASURY

FROM:     Michael R. Phillips
          Deputy Inspector General for Audit

SUBJECT:  Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2010 (Audit # 201020010)

We are pleased to submit the Treasury Inspector General for Tax Administration’s Federal Information Security Management Act (FISMA)[1] report for the Fiscal Year 2010 FISMA evaluation period.[2] The FISMA requires the Office of Inspector General to perform an annual independent evaluation of each Federal agency’s information security policies, procedures, and practices, as well as evaluate its compliance with FISMA requirements. This report reflects our independent evaluation of the Internal Revenue Service’s (IRS) information technology security program for the period under review.

We based our evaluation of the IRS on the Office of Management and Budget’s (OMB) FISMA 2010 Reporting Guidelines. During the 2010 evaluation period, we conducted 10 audits, as shown in Appendix II, to evaluate the adequacy of information security in the IRS. We considered the results of these audits in our evaluation. In addition, we evaluated a representative sample of 10 major IRS information systems for our FISMA work. For each system in the sample, we assessed the quality of the certification and accreditation process, the annual testing of controls for continuous monitoring, the testing of information technology contingency plans, and the quality of the Plan of Action and Milestones process. We also conducted tests to evaluate processes over configuration management, incident response and reporting, security training, remote access, account and identity management, and contractor oversight.

Included in Appendix I are our responses to the OMB’s 2010 FISMA checklist for the Inspectors General. Major contributors to this report are listed in Appendix III.

Based on our 2010 evaluation, we determined that the IRS’s information security program was generally compliant with the FISMA legislation, OMB information security requirements, and related information security standards published by the National Institute of Standards and Technology. We determined that the following program areas met the level of performance specified by the OMB’s 2010 FISMA checklist.
    • Certification and accreditation program.
    • Incident response and reporting program.
    • Remote access management.

While the information security program was generally compliant with the FISMA legislation, the program was not fully effective as a result of the conditions identified in the following areas.
    • Configuration management.
    • Security training.
    • Plans of action and milestones.
    • Identity and access management.
    • Continuous monitoring management.
    • Contingency planning.
    • Contractor systems/financial audit.

Specific to the financial audit area, the Government Accountability Office (GAO) reported[3] newly identified and unresolved information security control weaknesses in key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information. Until these control weaknesses are corrected, the IRS remains unnecessarily vulnerable to insider threats related to the unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as the disruption of system operations and services. These conditions were the basis for GAO’s determination that the IRS had a material weakness in internal controls over financial reporting related to information security in Fiscal Year 2009.

Copies of this report are also being sent to the IRS managers affected by the report results. Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

[1] 44 U.S.C. §§ 3541–3549.
[2] The Fiscal Year 2010 FISMA evaluation period for the Department of the Treasury is July 1, 2009, through June 30, 2010. All subsequent references to 2010 refer to the FISMA evaluation period.
[3] INFORMATION SECURITY: IRS Needs to Continue to Address Significant Weaknesses (GAO-10-355, dated March 2010).


Table of Contents

Background .......................................................................... Page 1

Appendices
    Appendix I – Results of the Treasury Inspector General for Tax Administration’s Federal Information Security Management Act Review .......... Page 2
    Appendix II – Treasury Inspector General for Tax Administration Information Technology Security Reports Issued During the 2010 Evaluation Period .......... Page 21
    Appendix III – Major Contributors to This Report .......... Page 22
    Appendix IV – Report Distribution List .......... Page 23


Abbreviations

CIO          Chief Information Officer
FCD1         Federal Continuity Directive 1
FDCC         Federal Desktop Core Configuration
FIPS         Federal Information Processing Standards
FISMA        Federal Information Security Management Act
GAO          Government Accountability Office
HSPD         Homeland Security Presidential Directive
IRS          Internal Revenue Service
MOU          Memorandum of Understanding
NIST         National Institute of Standards and Technology
OIG          Office of the Inspector General
OMB          Office of Management and Budget
PIV          Personal Identity Verification
POA&M        Plan of Action and Milestones
TIGTA        Treasury Inspector General for Tax Administration
TT&E         Training, Testing, and Exercises
US-CERT      United States Computer Emergency Response Team


Background

The Internal Revenue Service (IRS) collects and maintains a significant amount of personal and financial information on each taxpayer. The IRS also relies extensively on computerized systems to support its responsibilities in collecting taxes, processing tax returns, and enforcing the Federal tax laws. As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss. Otherwise, taxpayers could be exposed to invasion of privacy and financial loss or damage from identity theft or other financial crimes.

The Federal Information Security Management Act (FISMA)[1] was enacted to strengthen the security of information and systems within Federal agencies. As part of this legislation, each Federal Government agency is required to report annually to the Office of Management and Budget (OMB) on the effectiveness of its security programs. In addition, the FISMA requires the Offices of Inspector General to perform an annual independent evaluation of each Federal agency’s information security policies and procedures, as well as evaluate its compliance with FISMA requirements. In compliance with the FISMA requirements, the Treasury Inspector General for Tax Administration (TIGTA) performs the annual independent evaluation of the information security program and practices of the IRS.

The OMB provides information security performance measures by which each agency is evaluated for the FISMA review. The OMB uses the information from the agencies and independent evaluations to help assess agency-specific and Federal Governmentwide security performance, develop its annual security report to Congress, and assist in improving and maintaining adequate agency security performance.

Attached is the TIGTA’s Fiscal Year 2010 FISMA report. The report was forwarded to the Treasury Inspector General for consolidation into a report issued to the Department of the Treasury Chief Information Officer.

[1] 44 U.S.C. §§ 3541–3549.


Appendix I

Results of the Treasury Inspector General for Tax Administration’s Federal Information Security Management Act Review[1]

The OMB issued a checklist for use by Offices of Inspectors General to assess the level of performance achieved by agencies in the specified program areas during the 2010 FISMA evaluation period. This appendix presents our completed OMB checklist for the IRS.

We determined the level of performance (a, b, or c) that the IRS had achieved for each of the program areas listed. As defined by the OMB, agencies achieve an “a” status for the program area if they have met all the attributes specified by OMB in the “a” section. Agencies achieve a “b” status if they have established the program area, but significant improvements were needed. The OMB listed conditions in the “b” section that, if in need of significant improvement, would prevent agencies from achieving an “a” status. Agencies achieve a “c” status if they have not yet established the program area.

We checked IRS program areas as an “a” status where we determined that the IRS met all the program attributes specified by the OMB. We checked IRS program areas as a “b” status where we determined that one or more conditions listed by the OMB needed significant improvement at the IRS. Due to time and resource constraints, we were not able to test all conditions listed by the OMB in the “b” sections. Therefore, it is possible that more of these conditions exist at the IRS than those we have checked. We did not check any program areas as a “c” status because the IRS has established all program areas listed by the OMB.

For our FISMA work, we evaluated a representative sample of 10 major IRS information systems, which included 9 IRS systems and 1 contractor-managed system. Of these 10 systems, 1 system had a Federal Information Processing Standards (FIPS) 199 impact level of high, and 9 systems were of a moderate impact level. All 10 systems had a current certification and accreditation, had security controls tested within the past year, and had contingency plans tested in accordance with policy.

[1] Due to the nature of the listing that follows, abbreviations are used exactly as presented in the original document reproduced and are not defined therein. Please see the Abbreviations page after the Table of Contents of this report for a listing of abbreviations.


RESPONSES TO FISCAL YEAR 2010 OMB QUESTIONS FOR INSPECTOR GENERALS

(In the checklist below, [X] marks the option or condition checked by the TIGTA; [ ] marks an option or condition not checked.)

S1: Certification and Accreditation

Status of Certification and Accreditation Program [check one]:
[X] a. The Agency has established and is maintaining a certification and accreditation program that is generally consistent with NIST’s and OMB’s FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
      1. Documented policies and procedures describing the roles and responsibilities of participants in the certification and accreditation process.
      2. Establishment of accreditation boundaries for Agency information systems.
      3. Categorizes information systems.
      4. Applies applicable minimum baseline security controls.
      5. Assesses risks and tailors security control baseline for each system.
      6. Assessment of the management, operational, and technical security controls in the information system.
      7. Risks to Agency operations, assets, or individuals analyzed and documented in the system security plan, risk assessment, or an equivalent document.
      8. The accreditation official is provided (i) the security assessment report from the certification agent providing the results of the independent assessment of the security controls and recommendations for corrective actions; (ii) the plan of action and milestones from the information system owner indicating actions taken or planned to correct deficiencies in the controls and to reduce or eliminate vulnerabilities in the information system; and (iii) the updated system security plan with the latest copy of the risk assessment.
[ ] b. The Agency has established and is maintaining a certification and accreditation program. However, the Agency needs to make significant improvements as noted below.
[ ] c. The Agency has not established a certification and accreditation program.

1a. If b. checked above, check areas that need significant improvement:
[ ] 1a(1) Certification and accreditation policy is not fully developed.
[ ] 1a(2) Certification and accreditation procedures are not fully developed, sufficiently detailed, or consistently implemented.
[ ] 1a(3) Information systems are not properly categorized (FIPS 199/SP 800-60).
[ ] 1a(4) Accreditation boundaries for Agency information systems are not adequately defined.
[ ] 1a(5) Minimum baseline security controls are not adequately applied to information systems (FIPS 200/SP 800-53).
[ ] 1a(6) Risk assessments are not adequately conducted (SP 800-30).
[ ] 1a(7) Security control baselines are not adequately tailored to individual information systems (SP 800-30).
[ ] 1a(8) Security plans do not adequately identify security requirements (SP 800-18).
[ ] 1a(9) Inadequate process to assess security control effectiveness (SP 800-53A).
[ ] 1a(10) Inadequate process to determine risk to Agency operations, Agency assets, or individuals or to authorize information systems to operate (SP 800-37).
[ ] 1a(11) Inadequate process to continuously track changes to information systems that may necessitate reassessment of control effectiveness (SP 800-37).
[ ] 1a(12) Other.

Explanation for Other:

Comments:


S2: Configuration Management

Status of Security Configuration Management Program [check one]:
[ ] a. The Agency has established and is maintaining a security configuration management program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
      1. Documented policies and procedures for configuration management.
      2. Standard baseline configurations.
      3. Scanning for compliance and vulnerabilities with baseline configurations.
      4. FDCC baseline settings fully implemented and/or any deviations from FDCC baseline settings fully documented.
      5. Documented proposed or actual changes to the configuration settings.
      6. Process for the timely and secure installation of software patches.
[X] b. The Agency has established and is maintaining a security configuration management program. However, the Agency needs to make significant improvements as noted below.
[ ] c. The Agency has not established a security configuration management program.

2a. If b. checked above, check areas that need significant improvement:
[ ] 2a(1) Configuration management policy is not fully developed.
[X] 2a(2) Configuration management procedures are not fully developed or consistently implemented.
[ ] 2a(3) Software inventory is not complete (NIST 800-53: CM-8).
[ ] 2a(4) Standard baseline configurations are not identified for all software components (NIST 800-53: CM-8).
[ ] 2a(5) Hardware inventory is not complete (NIST 800-53: CM-8).
[ ] 2a(6) Standard baseline configurations are not identified for all hardware components (NIST 800-53: CM-2).
[ ] 2a(7) Standard baseline configurations are not fully implemented (NIST 800-53: CM-2).
[ ] 2a(8) FDCC is not fully implemented (OMB) and/or all deviations are not fully documented.
[ ] 2a(9) Software scanning capabilities are not fully implemented (NIST 800-53: RA-5, SI-2).
[X] 2a(10) Configuration-related vulnerabilities have not been remediated in a timely manner (NIST 800-53: CM-4, CM-6, RA-5, SI-2).
[X] 2a(11) Patch management process is not fully developed (NIST 800-53: CM-3, SI-2).
[ ] 2a(12) Other.

Explanation for Other:

Comments:

2a(2): The IRS has not completed corrective actions to resolve the software configuration management component of the IRS computer security material weakness.[2] Although the IRS has made progress in implementing its configuration management program, the IRS corrective action plan for resolving this material weakness indicates ongoing corrective actions with scheduled completion dates ranging from April to December 2011. Until the IRS has implemented adequate configuration management controls Agencywide, it cannot ensure the security and integrity of system programs, files, and data.
    • 1-3-20: Ensure security configuration requirements for all system software are documented in an IRS Internal Revenue Manual. (Planned implementation date of April 2011)
    • 1-3-21: Implement and maintain baseline standard configurations on system software platforms and perform scheduled testing. This capability covers translation of Internal Revenue Manuals into standard build procedures and implementation/testing processes. (Planned implementation date of April 2011)
    • 1-3-22: Ensure system software is controlled under a documented change control process with procedures for assessment of security impact, notifications to Designated Approving Authorities, and appropriate baseline configuration updates. (Planned implementation date of April 2011)
    • 1-3-25: Establish and maintain collection and reporting of metrics to assess progress and track improvements in all component activity implementations over time. Successful operation of the policy, procedures, and plans for component activities for at least 2 consecutive quarters. Quarterly reviews by Cybersecurity and annual FISMA security reviews will revalidate compliance. (Planned implementation date of December 2011)

2a(10): In March 2010, TIGTA reported[3] that the IRS was not timely addressing high- and medium-risk system vulnerabilities that it identified on Automated Collection System servers. The IRS UNIX Policy Checker scans that the IRS ran on the servers from January through May 2009 reported that some high- and medium-risk vulnerabilities remained on the servers for 2 to 5 months before system administrators took corrective actions.

In addition, during the 2010 FISMA evaluation period, the TIGTA concluded fieldwork on an audit to evaluate IRS email servers and found that the IRS is not taking timely actions to correct medium-risk security vulnerabilities identified through monthly scans on its email servers. The Modernization and Information Technology Services organization’s Enterprise Operations office uses the Windows Policy Checker to conduct monthly scans of its 70 email servers. The scans conducted from September 2009 through February 2010 determined the servers failed between 73 and 79 medium-risk security checks each month. The number of failed security checks on each server was the same each month.

2a(11): The IRS computer security material weakness relating to configuration management includes unresolved weaknesses in the IRS patch management process. The IRS corrective action plan for resolving the patch management weaknesses indicates the following two corrective actions will be completed in April 2011.
    • 1-3-23: Ensure system software is patched under a documented process that includes standard procedures and fall-back procedures, ensures patch testing, and ensures the dissemination, installation, and verification of patch installations for all components. (Planned implementation date of April 2011)
    • 1-3-24: Internal and external monitoring and reporting on secure configuration setting changes and patch levels. “Review” includes comparison to approved changes. “Remediation” includes followup on noncompliant components and testing and implementation of proposed corrections. (Planned implementation date of April 2011)

2b. Identify baselines reviewed:
2b(1) Software Name     None.
2b(2) Software Version  None.

[2] The IRS declared its security program as a material weakness in 1997. The IRS further categorized the material weakness into nine areas relating to computer security: (1) network access controls; (2) key computer applications and system access controls; (3) software configuration; (4) functional business, operating, and program units security roles and responsibilities; (5) segregation of duties between system and security administrators; (6) contingency planning and disaster recovery; (7) monitoring of key networks and systems; (8) security training; and (9) certification and accreditation. An Executive Steering Committee oversees the plan, ensuring that material weakness areas are addressed by all affected organizations, appropriate policy and procedures are implemented, and actions resolve the systemic cause of the material weakness. The IRS has closed four of the material weakness areas: (4) functional business, operating, and program units security roles and responsibilities; (5) segregation of duties between system and security administrators; (8) security training; and (9) certification and accreditation. The TIGTA did not concur with the IRS’s closure of area (4), functional business, operating, and program units security roles and responsibilities.
[3] Additional Security Controls Are Needed to Protect the Automated Collection System (Reference Number 2010-20-028, dated March 30, 2010).


S3: Incident Response and Reporting

Status of Incident Response & Reporting Program [check one]:
[X] a. The Agency has established and is maintaining an incident response and reporting program that is generally consistent with NIST’s and OMB’s FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
      1. Documented policies and procedures for responding and reporting to incidents.
      2. Comprehensive analysis, validation, and documentation of incidents.
      3. When applicable, reports to US-CERT within established time frames.
      4. When applicable, reports to law enforcement within established time frames.
      5. Responds to and resolves incidents in a timely manner to minimize further damage.
[ ] b. The Agency has established and is maintaining an incident response and reporting program. However, the Agency needs to make significant improvements as noted below.
[ ] c. The Agency has not established an incident response and reporting program.

3a. If b. checked above, check areas that need significant improvement:
[ ] 3a(1) Incident response and reporting policy is not fully developed.
[ ] 3a(2) Incident response and reporting procedures are not fully developed, sufficiently detailed, or consistently implemented.
[ ] 3a(3) Incidents were not identified in a timely manner (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
[ ] 3a(4) Incidents were not reported to US-CERT as required (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
[ ] 3a(5) Incidents were not reported to law enforcement as required.
[ ] 3a(6) Incidents were not resolved in a timely manner (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
[ ] 3a(7) Incidents were not resolved to minimize further damage (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
[ ] 3a(8) There is insufficient incident monitoring and detection coverage (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
[ ] 3a(9) Other.

Explanation for Other:

Comments:


S4: Security Training

Status of Security Training Program [check one]:
[ ] a. The Agency has established and is maintaining a security training program that is generally consistent with NIST’s and OMB’s FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
      1. Documented policies and procedures for security awareness training.
      2. Documented policies and procedures for specialized training for users with significant information security responsibilities.
      3. Appropriate training content based on the organization and roles.
      4. Identification and tracking of all employees with login privileges that need security awareness training.
      5. Identification and tracking of employees without login privileges that require security awareness training.
      6. Identification and tracking of all employees with significant information security responsibilities that require specialized training.
[X] b. The Agency has established and is maintaining a security training program. However, the Agency needs to make significant improvements as noted below.
[ ] c. The Agency has not established a security training program.

4a. If b. checked above, check areas that need significant improvement:
[ ] 4a(1) Security awareness training policy is not fully developed.
[ ] 4a(2) Security awareness training procedures are not fully developed, sufficiently detailed, or consistently implemented.
[ ] 4a(3) Specialized security training policy is not fully developed.
[ ] 4a(4) Specialized security awareness training procedures are not fully developed or sufficiently detailed (SP 800-50, SP 800-53).
[ ] 4a(5) Training material for security awareness training does not contain appropriate content for the Agency (SP 800-50, SP 800-53).
[ ] 4a(6) Identification and tracking of employees with login privileges that require security awareness training is not adequate (SP 800-50, SP 800-53).
[ ] 4a(7) Identification and tracking of employees without login privileges that require security awareness training is not adequate (SP 800-50,
SP 800-53).\n                                  4a(8) Identification and tracking of employees with significant security\n                                          information security responsibilities is not adequate (SP 800-50,\n                                          SP 800-53).\n                                  4a(9) Training content for individuals with significant information security\n                                          responsibilities is not adequate (SP 800-53, SP 800-16).\n                                  4a(10) Less than 90 percent of employees with login privileges attended security\n                                          awareness training in the past year.\n                                  4a(11) Less than 90 percent of employees, contractors, and other users with\n                                          significant security responsibilities attended specialized security awareness\n                                          training in the past year.\n                             9    4a(12) Other(s).\n                                     (i): Not all contractors with staff-like access were provided with security\n                                          awareness training.\n                                      (ii): Until the IRS improves its identification and tracking of employees and\n                                           contractors with significant security responsibilities, the percentage of\n                                           those who completed specialized security training in the past year cannot\n                                           be verified.\n                                  Explanation for Other(s):\n                                     (i): In accordance with FISMA requirements, IRS policy requires the Agency\n                                          to provide security awareness training to inform all IRS employees and\n                                          contractors of the information 
security risks associated with their activities\n                                          and their responsibilities in complying with IRS policies and procedures\n                                          designed to reduce these risks. However, in June 2010, the GAO reported\n                                          that the IRS did not provide security awareness training for all IRS\n                                          contractors, such as janitors and security guards, who are provided\n                                          unescorted physical access to its facilities containing taxpayer receipts and\n                                          information.4 Based on the GAO\xe2\x80\x99s finding, the IRS stated it updated its\n                                          policy as of September 7, 2010, to require all contractors to take security\n                                          awareness training suitable to their type of access. The IRS also stated that\n                                          it modified its contractor tracking system to track the completion of the\n                                          required training modules for each contractor during the Fiscal Year 2011\n                                          FISMA evaluation period.\n                                     (ii): We were unable to definitively determine the percentage of employees and\n                                           contractors with significant security responsibilities that completed\n                                           specialized security training in the Fiscal Year 2010 FISMA evaluation\n                                           period. The IRS reported 6,014 of 6,029 (99.8 percent) employees\n                                           completed their required hours of specialized security training for the\n                                           Fiscal Year 2010 FISMA evaluation period. 
The IRS did not track\n\n\n\n\n4\n Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations\n(GAO-10-565R, dated June 2010).\n\n                                                                                                               Page 8\n\x0c                                Treasury Inspector General for Tax Administration \xe2\x80\x93\n                                   Federal Information Security Management Act\n                                            Report for Fiscal Year 2010\n\n\n                                            contractor completion of specialized security training. In a recent TIGTA\n                                            review,5 we reported that the IRS needed to improve processes to identify\n                                            all IRS employees and contractors performing in security roles requiring\n                                            specialized training. The IRS had not yet documented in its official policy\n                                            five security roles that the Department of the Treasury policy states must\n                                            receive specialized training. As a result, the IRS agreed to update its\n                                            policy to include all security roles in existence at the IRS and crosswalk\n                                            these with its current training curriculum. 
In addition, the IRS stated it has\n                                            recently modified its contractor tracking system to identify contractors that\n                                            require specialized training and plans to write policy and associated\n                                            security clauses to require contractors to comply with these training\n                                            requirements, to be effective for the Fiscal Year 2012 FISMA evaluation\n                                            period. Until the IRS completes these actions, we cannot verify the\n                                            population of IRS employees and contractors that require specialized\n                                            training or the numbers of those that completed their required training.\nComments:\n\nS5: POA&M\nStatus of Plan of Action            a. The Agency has established and is maintaining a POA&M program that is\n& Milestones (POA&M)                   generally consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA requirements and tracks\nProgram [check one]                    and monitors known information security weaknesses. Although improvement\n                                       opportunities may have been identified by the OIG, the program includes the\n                                       following attributes:\n                                       1. Documented policies and procedures for managing all known IT security\n                                            weaknesses.\n                                       2. Tracks, prioritizes, and remediates weaknesses.\n                                       3. Ensures remediation plans are effective for correcting weaknesses.\n                                       4. Establishes and adheres to reasonable remediation dates.\n                                       5. 
Ensures adequate resources are provided for correcting weaknesses.\n                                       6. Program officials and contractors report progress on remediation to CIO\n                                            on a regular basis, at least quarterly, and the CIO centrally tracks,\n                                            maintains, and independently reviews/validates the POA&M activities at\n                                            least quarterly.\n                                    b. The Agency has established and is maintaining a POA&M program that tracks\n                              9        and remediates known information security weaknesses. However, the Agency\n                                       needs to make significant improvements as noted below.\n                                    c.   The Agency has not established a POA&M program.\n5a. If b. checked above,            5a(1) POA&M policy is not fully developed.\n    check areas that need\n    significant                     5a(2) POA&M procedures are not fully developed, sufficiently detailed, or\n    improvement:                          consistently implemented.\n                              9 5a(3) POA&Ms do not include all known security weaknesses (OMB M-04-25).\n\n\n5\n More Actions Are Needed to Correct the Security Roles and Responsibilities Portion of the Computer Security Material\nWeakness (Reference Number 2010-20-084, dated August 26, 2010).\n\n                                                                                                                    Page 9\n\x0c                                Treasury Inspector General for Tax Administration \xe2\x80\x93\n                                   Federal Information Security Management Act\n                                            Report for Fiscal Year 2010\n\n\n                                   5a(4) Remediation actions do not sufficiently address weaknesses\n                                         
(NIST SP 800-53, Rev. 3, Sect. 3.4 Monitoring Security Controls).\n                                   5a(5) Initial dates of security weaknesses are not tracked (OMB M-04-25).\n\n                                   5a(6) Security weaknesses are not appropriately prioritized (OMB M-04-25).\n\n                                   5a(7) Estimated remediation dates are not reasonable (OMB M-04-25).\n\n                                   5a(8) Initial target remediation dates are frequently missed (OMB M-04-25).\n                                   5a(9) POA&Ms are not updated in a timely manner (NIST SP 800-53, Rev. 3,\n                                          Control CA-5, & OMB M-04-25).\n                                   5a(10) Costs associated with remediating weaknesses are not identified\n                                          (NIST SP 800-53, Rev. 3, Control PM-3 & OMB M-04-25).\n                                   5a(11) Agency CIO does not track and review POA&Ms (NIST SP 810-53m,\n                                          Rev. 
3, Control CA-5 & OMB M-04-25).\n                                   5a(12) Other:\n                              9           Security weaknesses were closed in POA&Ms before effective corrective\n                                          action was taken.\n                                   Explanation for Other:\n                                          In August 2009, the TIGTA reported6 that the IRS had prematurely\n                                          reported resolution of 6 of 13 security control vulnerabilities in the\n                                          POA&M for the Customer Accounts Data Engine before effective\n                                          corrective action was taken.\n                                            In May 2010, the TIGTA reported7 that the IRS closed four POA&M\n                                            weaknesses identified in the Modernized e-File system before effective\n                                            corrective action was taken.\n                                            During the 2010 FISMA evaluation period, the IRS took steps to improve\n                                            its POA&M procedures, including requiring system owners to document\n                                            sufficient detail regarding how weaknesses were remediated before\n                                            changing their status to \xe2\x80\x9ccompleted.\xe2\x80\x9d We reviewed the weaknesses that\n                                            were closed during the 2010 FISMA cycle for our 10 sample systems and\n                                            found system owners had documented information to support their\n                                            corrective actions. 
However, we did not find information to indicate that\n                                            required verifications were performed before closing these weaknesses as\n                                            per IRS policy. The Cybersecurity organization indicated that this\n                                            verification step may be implemented during the next FISMA cycle,\n                                            depending on available resources.\nComments:\n5a(3): In May 2010, the TIGTA reported8 that security weaknesses identified by the IRS at seven of the eight\ncontractor facilities we sampled were not maintained in POA&Ms as required by the FISMA. These weaknesses\n\n\n6\n  Customer Account Data Engine Release 4 Includes Most Planned Capabilities and Security Requirements for Processing\nIndividual Tax Account Information (Reference Number 2009-20-100, dated August 28, 2009).\n7\n  Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and\nSecurity Need Improvement (Reference Number 2010-20-041, dated May 26, 2010).\n\n                                                                                                                  Page 10\n\x0c                               Treasury Inspector General for Tax Administration \xe2\x80\x93\n                                  Federal Information Security Management Act\n                                           Report for Fiscal Year 2010\n\n\nincluded access control, configuration management control, and system integrity control issues. The IRS agreed\nwith our report finding that these security weaknesses should be tracked in POA&Ms.\nIn addition, during the Fiscal Year 2010 FISMA evaluation period, the TIGTA completed fieldwork on an audit to\nevaluate IRS email servers and found that medium-risk weaknesses the IRS repeatedly detected on its email servers\nthrough monthly scans were not posted to POA&Ms. 
Monthly scans conducted from September 2009 through\nFebruary 2010 determined that the servers failed between 73 and 79 medium-risk security checks each month.\n\n\nS6: Remote Access Management\nStatus of Remote Access            a. The Agency has established and is maintaining a remote access program that\nProgram [check one]           9       is generally consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA requirements.\n                                      Although improvement opportunities may have been identified by the OIG,\n                                      the program includes the following attributes:\n                                      1. Documented policies and procedures for authorizing, monitoring, and\n                                           controlling all methods of remote access.\n                                      2. Protects against unauthorized connections or subversion of authorized\n                                           connections.\n                                      3. Users are uniquely identified and authenticated for all access.\n                                      4. If applicable, multi-factor authentication is required for remote access.\n                                      5. Authentication mechanisms meet NIST Special Publication 800-63\n                                           guidance on remote electronic authentication, including strength\n                                           mechanisms.\n                                      6. Requires encrypting sensitive files transmitted across public networks or\n                                           stored on mobile devices and removable media such as CDs and flash\n                                           drives.\n                                      7. 
Remote access sessions are timed-out after a maximum of 30 minutes of\n                                           inactivity, after which re-authentication is required.\n                                   b. The Agency has established and is maintaining a remote access program.\n                                      However, the Agency needs to make significant improvements as noted\n                                      below.\n                                   c.   The Agency has not established a program for providing secure remote access.\n6a. If b. checked above,           6a(1) Remote access policy is not fully developed.\n    check areas that need\n    significant                    6a(2) Remote access procedures are not fully developed, sufficiently detailed, or\n    improvement:                         consistently implemented.\n                                   6a(3) Telecommuting policy is not fully developed (NIST 800-46 Section 5.1).\n                                   6a(4) Telecommuting procedures are not fully developed or sufficiently detailed\n                                         (NIST 800-46 Section 5.4).\n                                   6a(5) Agency cannot identify all users who require remote access (NIST 800-46\n                                         Section 4.2, Section 5.1).\n                                   6a(6) Multi-factor authentication is not properly deployed (NIST 800-46\n                                         Section 2.2, Section 3.3).\n\n\n\n8\n Taxpayer Data Used at Contractor Facilities May Be at Risk for Unauthorized Access or Disclosure (Reference\nNumber 2010-20-51, dated May 18, 2010).\n\n                                                                                                               Page 11\n\x0c                             Treasury Inspector General for Tax Administration \xe2\x80\x93\n                                Federal Information Security Management Act\n                                   
      Report for Fiscal Year 2010\n\n\n\n                                6a(7) Agency has not identified all remote devices (NIST 800-46 Section 2.1).\n                                6a(8) Agency has not determined all remote devices and/or end user computers\n                                       have been properly secured (NIST 800-46 Section 3.1 and Section 4.2).\n                                6a(9) Agency does not adequately monitor remote devices when connected to the\n                                       Agency\xe2\x80\x99s networks remotely (NIST 800-46 Section 3.2).\n                                6a(10) Lost or stolen devices are not disabled and appropriately reported\n                                       (NIST 800-46 Section 4.3, US-CERT Incident Reporting Guidelines).\n                                6a(11) Remote access rules of behavior are not adequate (NIST 800-53, PL-4).\n                                6a(12) Remote access user agreements are not adequate (NIST 800-46 Section 5.1\n                                       & NIST 800-53, PS-6).\n                                6a(13) Other.\n\n                                Explanation for Other:\n\n\nS7: Identity and Access Management\nStatus of Account and           a. The Agency has established and is maintaining an account and identity\nIdentity Management                management program that is generally consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s\nProgram [check one]                FISMA requirements and identifies users and network devices. Although\n                                   improvement opportunities may have been identified by the OIG, the program\n                                   includes the following attributes:\n                                   1. Documented policies and procedures for account and identity\n                                       management.\n                                   2. 
Identifies all users, including Federal employees, contractors, and others\n                                       who access Agency systems.\n                                   3. Identifies when special access requirements (e.g., multi-factor\n                                       authentication) are necessary.\n                                   4. If multi-factor authentication is in use, it is linked to the Agency\xe2\x80\x99s PIV\n                                       program.\n                                   5. Ensures that the users are granted access based on needs and separation of\n                                       duties principles.\n                                   6. Identifies devices that are attached to the network and distinguishes these\n                                       devices from users.\n                                   7. Ensures that accounts are terminated or deactivated once access is no\n                                       longer required.\n                                b. The Agency has established and is maintaining an account and identity\n                            9      management program that identifies users and network devices. However, the\n                                   Agency needs to make significant improvements as noted below.\n                                c.   The Agency has not established an account and identity management program.\n7a. If b. 
checked above,        7a(1) Account management policy is not fully developed.\n    check areas that need\n    significant             9 7a(2) Account management procedures are not fully developed, sufficiently\n    improvement:                        detailed, or consistently implemented.\n                                7a(3) Active directory is not properly implemented (NIST 800-53, AC-2).\n                                7a(4) Other non-Microsoft account management software is not properly\n                                      implemented (NIST 800-53, AC-2).\n\n                                                                                                        Page 12\n\x0c                                 Treasury Inspector General for Tax Administration \xe2\x80\x93\n                                    Federal Information Security Management Act\n                                             Report for Fiscal Year 2010\n\n\n                                     7a(5) Agency cannot identify all User and Non-User accounts (NIST 800-53,\n                                           AC-2).\n                                     7a(6) Accounts are not properly issued to new users (NIST 800-53, AC-2).\n                                9 7a(7) Accounts are not properly terminated when users no longer require access\n                                            (NIST 800-53, AC-2).\n                                     7a(8) Agency does not use multi-factor authentication when required\n                                            (NIST 800-53, IA-2).\n                                     7a(9) Agency has not adequately planned for implementation of PIV for logical\n                                            access (HSPD-12, FIPS 201, OMB M-05-24, OMB M-07-06,\n                                            OMB M-08-01).\n                                9    7a(10) Privileges granted are excessive or result in capability to perform\n                                          
  conflicting functions (NIST 800-53, AC-2, AC-6).\n                                     7a(11) Agency does not use dual accounts for administrators (NIST 800-53,\n                                            AC-5, AC-6).\n                                     7a(12) Network devices are not properly authenticated (NIST 800-53, IA-3).\n\n                                     7a(13) Other.\n\n                                     Explanation for Other:\nComments:\n7a(2): The IRS has not completed corrective actions to resolve the component of the IRS computer security material\nweakness relating to access controls. While the IRS\xe2\x80\x99s corrective action plan for this material weakness indicates\nprogress has been made in completing the planned actions, there are still ongoing corrective actions with scheduled\ncompletion dates ranging from April to December 2011. These involve ensuring that effective access controls are\nimplemented IRS-wide. Until the IRS completes these corrective actions, it cannot ensure that access to key\ncomputer applications and systems is limited to authorized persons for authorized purposes.\n    \xe2\x80\xa2   1-2-20: Develop implementation plan to ensure that corrective actions 1-2-11, 12, 13, 14, 15, and 169 can be\n        applied to all organizations, systems, and applications to full levels of effectiveness regarding policies,\n        procedures, implementations, monitoring, and testing. (Planned implementation date of April 2011)\n    \xe2\x80\xa2   1-2-21: Execute implementation plan to ensure that corrective actions 1-2-11, 12, 13, 14, 15, and 16 can be\n        applied to all organizations, systems, and applications to full levels of effectiveness regarding policies,\n        procedures, implementations, monitoring, and testing. 
(Planned implementation date of April 2011)\n    \xe2\x80\xa2   1-2-22: Establish and maintain collection and reporting of metrics to assess progress and track improvements\n        in all component activity implementations over time. Successful operation of the policy, procedures, and\n        plans for component activities for at least two consecutive quarters. Quarterly review by Cybersecurity and\n        annual FISMA security review will revalidate compliance. (Planned implementation date of\n        December 2011)\n7a(7): In July 2009, the TIGTA reported10 that, in a sample of 7 systems, 53 of 376 contractors had active user\naccounts but did not have a business need to access these systems. These 53 contractors consisted of contractors\nwhose job duties or access privileges had changed and no longer needed system access, contractors who had\n\n\n9\n  These corrective actions listed relate to account management procedures, including controlling user authorizations and levels of\nprivileges on all systems, applications, databases, and other software. This footnote also applies the corrective action 1-2-21.\n10\n   Computer System Access Controls Over Contractors Need to Be Improved (Reference Number 2009-20-108, dated July 24,\n2009).\n\n                                                                                                                        Page 13\n\x0c                               Treasury Inspector General for Tax Administration \xe2\x80\x93\n                                  Federal Information Security Management Act\n                                           Report for Fiscal Year 2010\n\n\nseparated from the contract with the IRS, and contractors who had never logged on to the system or had not logged\non to the system within 45 calendar days. We also identified 15 contractors whose system access was not deleted in\na timely manner upon separation from the contract with the IRS. The IRS agreed with our report findings. 
The IRS\nstated that, effective September 7, 2010, it began tracking information from contractors concerning employee status\nchanges, including separations and changes in duties, to ensure timely account termination when access is no longer\nrequired.\nIn addition, in March 2010, the TIGTA reported11 that the Registered User Portal, which allows tax professionals to\nelectronically submit and retrieve tax-related information, was not configured to disable and remove users\xe2\x80\x99 access\naccounts in accordance with IRS security policies and procedures. Rather than implement the control to disable\ninactive accounts after 45 days as required by IRS policy, the IRS set the control to 720 days. In addition, the IRS\ndid not implement a control to remove inactive accounts. Inactive accounts unnecessarily increase the opportunity\nfor malicious individuals to gain access to taxpayer data through an unused account.\n7a(10): In July 2009, the TIGTA reported12 that, from a sample of 7 IRS systems, 12 system development\ncontractors had access and full privileges to the production environment of the system on which they worked, in\nviolation of the IRS policy on separation of duties. Developers with access to the production system could bypass\ncontrols and make unapproved and untested changes. In addition, 39 system administration contractors also had\ndatabase administrator privileges. This lack of separation of duties could jeopardize the integrity of the data and\nallow unauthorized changes to the data to go undetected. 
The IRS stated it is now notifying contractors during the\non-boarding process of the separation of duties requirement and requiring contractors to identify which one of those\nduties they will perform, if any.\nIn addition, in March 2010, the TIGTA reported13 that 6 of 109 sampled employees\xe2\x80\x99 system privileges on the\nAutomated Collection System were not restricted to only those privileges needed to perform assigned duties.\nExcessive privileges granted included the ability to increase the privileges of other users and to perform\nmanagement queries to view large amounts of sensitive tax collection data. When users are granted access\npermissions beyond their assigned responsibilities, the risks of malicious actions and unauthorized disclosure of\ntaxpayer data are increased. In addition, 58 employees had unneeded privileges that allowed them the authority to\ncreate, modify, or delete the system audit trails. These actions, taken either accidentally or intentionally, could\nconceal unauthorized activity and compromise the integrity of the audit trail.\n\n\n\n\n11\n   Additional Security Is Needed for Access to the Registered User Portal (Reference Number 2010-20-027, dated\nMarch 31, 2010).\n12\n   Computer System Access Controls Over Contractors Need to Be Improved (Reference Number 2009-20-108, dated\nJuly 24, 2009).\n13\n   Additional Security Controls Are Needed to Protect the Automated Collection System (Reference Number 2010-20-028, dated\nMarch 30, 2010).\n\n                                                                                                                 Page 14\n\x0c\n\n\nS8: Continuous Monitoring Management\nStatus of Continuous Monitoring Program [check one]:\n    a. [ ] The Agency has established an entity-wide continuous monitoring program that assesses the security state\n           of information systems that is generally consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA requirements.\n           Although improvement opportunities may have been identified by the OIG, the program includes the\n           following attributes:\n           1. Documented policies and procedures for continuous monitoring.\n           2. Documented strategy and plans for continuous monitoring, such as vulnerability scanning, log\n              monitoring, notification of unauthorized devices, sensitive new accounts, etc.\n           3. Ongoing assessments of selected security controls (system-specific, hybrid, and common) that have\n              been performed based on the approved continuous monitoring plans.\n           4. Provides system authorizing officials and other key system officials with security status reports\n              covering updates to security plans and security assessment reports, as well as POA&M additions.\n    b. [X] The Agency has established an entity-wide continuous monitoring program that assesses the security state\n           of information systems. However, the Agency needs to make significant improvements as noted below.\n    c. [ ] The Agency has not established a continuous monitoring program.\n8a. If b. checked above, check areas that need significant improvement:\n    [ ] 8a(1) Continuous monitoring policy is not fully developed.\n    [ ] 8a(2) Continuous monitoring procedures are not fully developed or consistently implemented.\n    [ ] 8a(3) Strategy or plan has not been fully developed for entity-wide continuous monitoring (NIST 800-37).\n    [ ] 8a(4) Ongoing assessments of selected security controls (system-specific, hybrid, and common) have not been\n              performed (NIST 800-53, NIST 800-53A).\n    [ ] 8a(5) The following were not provided to the system authorizing official or other key system officials:\n              security status reports covering continuous monitoring results, updates to security plans, security\n              assessment reports, and POA&Ms (NIST 800-53, NIST 800-53A).\n    [X] 8a(6) Other: The IRS has not resolved its computer security material weakness relating to audit logging.\n    Explanation for Other:\n           The IRS has not completed corrective actions to resolve the audit logging component of the IRS computer\n           security material weakness. The IRS corrective action plan for resolving the audit logging weakness\n           indicates that there are still ongoing corrective actions with scheduled completion dates ranging from\n           February 2011 to October 2013. 
Until corrective actions are completed to resolve the audit logging material weakness, the IRS cannot\n           effectively monitor key networks and systems to identify unauthorized activities and inappropriate system\n           configurations.\n\n\n\n                                                                                                       Page 15\n\x0c\n\n           During the 2010 FISMA evaluation period, the TIGTA reported that the IRS continues to have problems\n           with audit logging. In March 2010, the TIGTA reported14 that the IRS does not analyze the audit logs for\n           the Registered User Portal system to detect unlawful or unauthorized activities. 
Consequently, unauthorized access to taxpayer data could go\n                                            undetected.\n                                            In March 2010, the TIGTA reported15 that the IRS is not capturing all of\n                                            the required auditable events in Automated Collection System audit trails.\n                                            The IRS informed us that enabling all required auditing events would\n                                            negatively affect system performance.\n                                            In July 2010, the TIGTA reported16 **********2(f)*****************\n                                            ***********************************************************\n                                            **********************************************************\n                                            **********************************************************\n                                            ***********************************************************\n                                            **********************************************************\n                                            **********************************************************\n                                            **********************************************************.\nComments:\n\nS9: Contingency Planning\nStatus of Contingency               a.   The Agency established and is maintaining an entity-wide business\nPlanning Program                         continuity/disaster recovery program that is generally consistent with NIST\xe2\x80\x99s\n[check one]                              and OMB\xe2\x80\x99s FISMA requirements. 
Although improvement opportunities may\n                                         have been identified by the OIG, the program includes the following\n                                         attributes:\n                                         1. Documented business continuity and disaster recovery policy providing\n                                              the authority and guidance necessary to reduce the impact of a disruptive\n                                              event or disaster.\n                                         2. The Agency has performed an overall Business Impact Assessment.\n                                         3. Development and documentation of division, component, and IT\n                                              infrastructure recovery strategies, plans, and procedures.\n                                         4. Testing of all system-specific contingency plans.\n                                         5. The documented business continuity and disaster recovery plans are ready\n                                              for implementation.\n                                         6. Development of training, testing, and exercises (TT&E) approaches.\n                                         7. 
Performance of regular ongoing testing or exercising of continuity/disaster\n                                              recovery plans to determine effectiveness and to maintain current plans.\n\n\n\n\n14\n   Additional Security Is Needed for Access to the Registered User Portal (Reference Number 2010-20-027, dated\nMarch 31, 2010).\n15\n   Additional Security Controls Are Needed to Protect the Automated Collection System (Reference Number 2010-20-028, dated\nMarch 30, 2010).\n16\n   Additional Actions and Resources Are Needed to Resolve the Audit Trail Portion of the Computer Security Material Weakness\n(Reference Number 2010-20-082, dated July 28, 2010).\n\n                                                                                                                   Page 16\n\x0c\n\n                                b. [X] The Agency has established and is maintaining an entity-wide business\n                                       continuity/disaster recovery program. However, the Agency needs to make\n                                       significant improvements as noted below.\n                                c. [ ] The Agency has not established a business continuity/disaster recovery\n                                       program.\n9a. If b. 
checked above,        9a(1) Contingency planning policy is not fully developed.\n    check areas that need\n    significant                 9a(2) Contingency planning procedures are not fully developed or consistently\n    improvement:                       implemented.\n                                9a(3) An overall business impact assessment has not been performed\n                                       (NIST SP 800-34).\n                                9a(4) Development of organization, component, or infrastructure recovery\n                                       strategies and plans has not been accomplished (NIST SP 800-34).\n                                9a(5) A business continuity/disaster recovery plan has not been developed\n                                       (FCD1, NIST SP 800-34).\n                                9a(6) A business continuity/disaster recovery plan has been developed, but not\n                                       fully implemented (FCD1, NIST SP 800-34).\n                                9a(7) System contingency plans missing or incomplete (FCD1, NIST SP 800-34,\n                                       NIST SP 800-53).\n                                9a(8) Critical systems contingency plans are not tested (FCD1, NIST SP 800-34,\n                                       NIST SP 800-53).\n                                9a(9) Training, testing, and exercises approaches have not been developed\n                                       (FCD1, NIST SP 800-34, NIST SP 800-53).\n                                9a(10) Training, testing, and exercises approaches have been developed, but are\n                                       not fully implemented (FCD1, NIST SP 800-34, NIST SP 800-53).\n                                9a(11) Disaster recovery exercises were not successful (NIST SP 800-34).\n                                9a(12) After-action plans did not address issues identified during disaster recovery\n                                 
      exercises (FCD1, NIST SP 800-34).\n                                9a(13) Critical systems do not have alternate processing sites (FCD1,\n                                       NIST SP 800-34, NIST SP 800-53).\n                                9a(14) Alternate processing sites are subject to same risks as primary sites (FCD1,\n                                       NIST SP 800-34, NIST SP 800-53).\n                                9a(15) Backups of information are not performed in a timely manner (FCD1,\n                                       NIST SP 800-34, NIST SP 800-53).\n                                9a(16) Backups are not appropriately tested (FCD1, NIST SP 800-34,\n                                       NIST SP 800-53).\n                                9a(17) Backups are not properly secured and protected (FCD1, NIST SP 800-34,\n                                       NIST SP 800-53).\n                            [X] 9a(18) Other:\n                                       The IRS has made significant progress, but has not resolved its material\n                                       weakness relating to disaster recovery controls.\n                                Explanation for Other:\n                                       The IRS has not yet fully implemented adequate processes to ensure\n                                       disaster recovery capabilities are implemented IRS-wide. 
While the IRS\xe2\x80\x99s\n                                       material weakness corrective action plan indicates progress has been made\n                                       in mitigating disaster recovery issues, the following disaster recovery\n                                       corrective actions are still ongoing with scheduled completion dates\n                                       ranging from October 2010 to December 2011. These involve ensuring\n                                       effective disaster recovery controls are implemented IRS-wide. Until the\n                                       IRS has completed its corrective actions to resolve this weakness, it cannot\n                                       ensure critical business systems can be restored in a timely manner when\n                                       unexpected events occur.\n\n                                                                                                          Page 17\n\x0c\n\n                     \xe2\x80\xa2   1-6-16 \xe2\x80\x93 Disaster Recovery Compliance: Complete internal\n                         auditing of the disaster recovery efforts to ensure accuracy and\n                         completeness as it relates to day-to-day operations and efforts to\n                         mitigate the material weakness. Establish and maintain metrics\n                         documentation to assess progress and track improvements in all\n                         component activities over time. Conduct an annual evaluation to\n                         revalidate compliance. 
(Planned implementation date of July 2011)\n                     \xe2\x80\xa2   1-6-17 \xe2\x80\x93 Disaster Recovery Plans: Develop and maintain\n                         Information Technology contingency plans associated with general\n                         support systems to include all components that support critical\n                         applications. Establish and maintain data and processing\n                         backup-recovery capability. Ensure maximum allowable outage\n                         times meet the recovery time objectives of the applications being\n                         supported. (Planned implementation date of December 2010)\n                     \xe2\x80\xa2   1-6-19 \xe2\x80\x93 Technical Assessment: Perform annual system risk\n                         assessments. Develop a true redundancy/resilience analysis. Based\n                         on the critical business processes, develop a site-based restoration\n                         vulnerability analysis. Create a Recovery Point Objective and\n                         Recovery Time Objective analysis and gain concurrence from both\n                         the business operating divisions and the Modernization and\n                         Information Technology Services organizations. Incorporate a\n                         technical assessment tool that will provide an infrastructure impact\n                         analysis in the event of a disaster. Implement backup-recovery\n                         capabilities to meet application maximum allowable outages and\n                         recovery time objectives of all Information Technology systems\n                         supporting the critical business processes. 
(Planned implementation\n                         date of July 2011)\n                     \xe2\x80\xa2   1-6-20 \xe2\x80\x93 Metrics: Establish and maintain metrics to assess progress\n                         and track improvements in all component activities over time.\n                         Successful operation of the policy, procedures, and plans for\n                         component activities for at least two quarters. Annual FISMA\n                         testing will revalidate compliance. (Planned implementation date of\n                         December 2011)\nComments:\n\n\n\n\n                                                                                     Page 18\n\x0c\n\n\nS10/S11: Contractor Systems/Financial Audit\nStatus of Agency Program to Oversee Contractor Systems [check one]:\n    a. [ ] The Agency has established and maintains a program to oversee systems operated on its behalf by\n           contractors or other entities. Although improvement opportunities may have been identified by the OIG,\n           the program includes the following attributes:\n           1. Documented policies and procedures for information security oversight of systems operated on the\n              Agency\xe2\x80\x99s behalf by contractors or other entities, and the Agency obtains sufficient assurance that\n              security controls of systems operated by contractors or others on its behalf are effectively\n              implemented and comply with Federal and Agency guidelines.\n           2. A complete inventory of systems operated on the Agency\xe2\x80\x99s behalf by contractors or other entities.\n           3. The inventory identifies interfaces between these systems and Agency-operated systems.\n           4. The Agency requires agreements (MOUs, Interconnect Service Agreements, contracts, etc.) for\n              interfaces between these systems and those that it owns and operates.\n           5. The inventory, including interfaces, is updated at least annually.\n           6. Systems that are owned or operated by contractors or entities are subject to and generally meet\n              NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA requirements.\n    b. [X] The Agency has established and maintains a program to oversee systems operated on its behalf by\n           contractors or other entities. However, the Agency needs to make significant improvements as noted\n           below.\n    c. [ ] The Agency does not have a program to oversee systems operated on its behalf by contractors or other\n           entities.\n10a. If (b) checked above, check areas that need significant improvement:\n    [ ] 10a(1) Policies to oversee systems operated on the Agency\xe2\x80\x99s behalf by contractors or other entities are\n               not fully developed.\n    [ ] 10a(2) Procedures to oversee systems operated on the Agency\xe2\x80\x99s behalf by contractors or other entities are\n               not fully developed or consistently implemented.\n    [X] 10a(3) The inventory of systems owned or operated by contractors or other entities is not sufficiently\n               complete.\n    [ ] 10a(4) The inventory does not identify interfaces between contractor/entity-operated systems and\n               Agency-owned and operated systems.\n    [ ] 10a(5) The inventory of contractor/entity-operated systems, including interfaces, is not updated at least\n               annually.\n    [ ] 10a(6) Systems owned or operated by contractors and entities are not subject to NIST\xe2\x80\x99s and OMB\xe2\x80\x99s\n               FISMA requirements (e.g., certification and accreditation requirements).\n    [ ] 10a(7) Systems owned or operated by contractors and entities do not meet NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA\n               requirements (e.g., certification and accreditation requirements).\n    [ ] 10a(8) Interface agreements (e.g., MOUs) are not properly documented, authorized, or 
maintained.\n                                10a(9) Other.\n                                Explanation for Other:\n\n                                                                                                        Page 19\n\x0c\n\nComments:\n10a(3): The IRS was unable to provide us with a definitive inventory of contractor-managed systems and agreed\nthat this inventory required improvement. In May 2010, the TIGTA reported17 that current processes were not\neffective at identifying all contractors who receive IRS taxpayer data and therefore are subject to required security\nreviews. The IRS agreed with our finding and has implemented an automated mechanism to identify all contractors\nthat have access to sensitive data. This information will be available to target sites for security reviews during the\nFiscal Year 2012 review cycle. The IRS stated it will also use this information to determine which of these meet the\ndefinition of a contractor system. In addition, where contracts may not fall into the definition of a contractor system,\nthe IRS is working towards developing new contract language to address security requirements and to potentially\nprovide these contractors with IRS-configured laptops to help enforce security policy.\n11. Financial Audit          11a. 
For the latest Financial Audit Report issued for the Agency, please provide the date\n                                  of the report and indicate whether there was a material weakness or reportable\n                                  condition concerning information security.\n                            Input for 11a:\n                            In March 2010, the GAO reported18 that newly identified and unresolved information\n                            security control weaknesses in key financial and tax processing systems continue to\n                            jeopardize the confidentiality, integrity, and availability of financial and sensitive\n                            taxpayer information. Until these control weaknesses and program deficiencies are\n                            corrected, the IRS remains unnecessarily vulnerable to insider threats related to the\n                            unauthorized access to and disclosure, modification, or destruction of financial and\n                            taxpayer information, as well as the disruption of system operations and services. 
The\n                            new and unresolved weaknesses and deficiencies at the IRS were the basis for the\n                            GAO\xe2\x80\x99s determination that the IRS had a material weakness in internal controls over\n                            financial reporting related to information security in Fiscal Year 2009.\n\n\n\n\n17\n   Taxpayer Data Used at Contractor Facilities May Be at Risk for Unauthorized Access or Disclosure (Reference\nNumber 2010-20-051, dated May 18, 2010).\n18\n   INFORMATION SECURITY: IRS Needs to Continue to Address Significant Weaknesses (GAO-10-355, dated March 2010).\n\n                                                                                                            Page 20\n\x0c\n\n                                                                           Appendix II\n\nTreasury Inspector General for Tax Administration\n Information Technology Security Reports Issued\n        During the 2010 Evaluation Period\n\n1. Computer System Access Controls Over Contractors Need to Be Improved (Reference\n   Number 2009-20-108, dated July 24, 2009).\n2. Customer Account Data Engine Release 4 Includes Most Planned Capabilities and\n   Security Requirements for Processing Individual Tax Account Information (Reference\n   Number 2009-20-100, dated August 28, 2009).\n3. Significant Improvements Have Been Made to Protect Sensitive Data on Laptop\n   Computers and Other Portable Electronic Media Devices (Reference\n   Number 2009-20-120, dated August 31, 2009).\n4. Progress Has Been Made, but Additional Steps Are Needed to Ensure Taxpayer Accounts\n   Are Monitored to Detect Unauthorized Employee Accesses (Reference\n   Number 2009-20-119, dated September 9, 2009).\n5. 
While Effective Actions Have Been Taken to Address Previously Reported Weaknesses in\n   the Protection of Federal Tax Information at State Government Agencies, Additional\n   Improvements Are Needed (Reference Number 2010-20-003, dated November 10, 2009).\n6. Additional Security Controls Are Needed to Protect the Automated Collection System\n   (Reference Number 2010-20-028, dated March 30, 2010).\n7. Additional Security Is Needed for Access to the Registered User Portal (Reference\n   Number 2010-20-027, dated March 31, 2010).\n8. Taxpayer Data Used at Contractor Facilities May Be at Risk for Unauthorized Access or\n   Disclosure (Reference Number 2010-20-051, dated May 18, 2010).\n9. Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax\n   Returns, but System Development and Security Need Improvement (Reference\n   Number 2010-20-041, dated May 26, 2010).\n10. Implementation of General Support System Security Controls Needs Improvement to\n    Protect Taxpayer Data (Reference Number 2010-20-063, dated June 7, 2010).\n\n\n\n\n                                                                                   Page 21\n\x0c\n\n                                                                             Appendix III\n\n                 Major Contributors to This Report\n\nAlan Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nJody Kitazono, Audit Manager\nJoan Bonomi, Senior Auditor\nRichard Borst, Senior Auditor\nBret Hunter, Senior Auditor\nLouis Lee, Senior Auditor\nLarry Reimer, Senior Auditor\nFrank O\xe2\x80\x99Connor, Auditor\nVictor Taylor, Auditor\n\n\n\n\n                                                                                     
Page 22\n\x0c\n\n                                                                  Appendix IV\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nChief Technology Officer OS:CTO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nLiaison: Chief Technology Officer OS:CTO\n\n\n\n\n                                                                         Page 23\n\x0c